Thursday, January 12, 2017

AX 2012 Security Unwrapped Series - Explaining Security Menu

This post will unwrap the Dynamics AX Security Menus and their functions.  It is located on the System administration Setup menu (see below).  I've also provided a diagram the general format of the security form.  There is a lot of information provided so I created a from template that describes the type of information that is displayed in each pane.
Setup Menu in AX
Diagram of Security Form
Assign users to roles
This menu item will allow you to assign multiple users to a role.  It is also a good form to use when you want to inquire on who is assigned a certain role.  When you first enter this form, it will display the list of roles in the left pane.  Click on a role to see the list of users directly assigned to this role in the lower middle pane.  I say directly because if you have embedded roles (this is discussed below in Security roles), then this form will not show those assignments.

The lower middle pane will display all AX users with a check mark beside the users that have access.  In the right pane, there are 2 sections displayed.  The top section shows the duties and privileges in the role and the lower section shows the roles of the selected user.  Select the Manually assign / exclude function in the lower middle pane to bring up another window where you can select additional users to add to this role. 
Assign users to roles - lower middle pane
If you want assign roles specifically to a single user, then it is simpler to use the edit user form.  This menu item is in the System administration Common menu under Users > Users.  Select the user to edit.  From this form there are several function, you can Assign roles or Remove multiple roles to a user as well as limit users access by company using Assign organization function.
Common menu and Users edit form
Assign organizations function allows you to limit a user to a specific company or list of company.  By default when you assign a user to a role, they have the access in all companies.  This function will allow you to modify the access of the specific user and specific role that has been selected.  As you can see below, when you enter the form you will see that Grant access to all organizations is selected since it is the default.  Select Grant access to specific organizations individually, the list of all company entities defined will then be displayed.  Select the desired company and click Grant.  The companies granted will be noted in the lower pane as seen below.  Use Revoke if you wish to remove a company from a user.
Assign organizations sub form
Security roles
Use this menu item to view, create, maintain, or delete roles.  When you first enter this form, the roles will be displayed in the left pane.  Navigate to an existing role in left pane.  The upper middle pane displays the AOT name, Name, and description.  The lower middle pane is where you'll see the contents of the role and this also where you can add or remove duties and privileges.  

If you want to embed a role within a role, in the left pane right click and hold a role and drag it to another role and release.  You will see the role in the lower middle pane and the role will have a + that you can expand the view in the left pane.

You can create a new role by clicking on New function for the left pane, then define it using the upper middle pane, and add duties and privileges using the lower middle pane.  
Security roles - lower middle pane
Security Privileges
Displayed in the left pane are the security privileges in hierarchical order by processes, duties, and privileges.  Click on the + sign to expand.  In the lower middle pane, you'll see the details of the item that is selected in the left pane.  If you select a privilege, it will display the permissions and allow you (1) add or remove privileges and (2) modify the access the access level of a permission.  Warning: if you change the access level, you are changing it globally for that permission!
Security privileges - lower middle pane
You can also create a new privilege.  Navigate to a duty in the left pane, click on the New function.  Define the privilege in the upper middle pane, and then add the desired permissions using lower middle pane.  You can search for existing privileges by navigating by process cycle (as on option), find the desired privilege, and select permissions and set access levels.
Add permission sub-form
Other menu items on the Security Setup Menu
Security entry point permissions is the Security Development Tool.  This will be discussed in detail in a future post in this series.
Record level security is a AX 2012 feature, it is being deprecated in Dynamics 365 for Operations.  It will be replace by Extensible Data Security (XDS).  At a high level, either function allows you to restrict access to only a part of a table.  For example, restricted access to only a segment of sales orders.
External roles displays roles that are intended to be assigned to users outside of the company, typically customers or vendors.
Segregation of duties is another sub-menu under Setup.  This will be the focus of a future post in this series.

1 comment: